Wikileaks Vault 7 Releases #Vault7

Wikileaks’ ‘Vault 7’ proves Big Brother and criminal hackers use the same tricks

Earlier this month, WikiLeaks unleashed the Vault 7 papers, a revealing insight into the tools and techniques used by the CIA. Their release caused a stir among the security community, but if you’re not working on the field, their relevance might not be immediately obvious.

Above all else, Vault 7 shouldn’t put you in a panic about the CIA — not if you’ve been paying attention, anyway. The most attention-grabbing techniques described in the papers aren’t anything new. In fact, they’ve been demonstrated publicly several times over. The revelation here is not the fact the CIA and NSA spy on both American and foreign citizens, but instead the incredible insight they – and presumably other spy organizations worldwide – have into cracking protections that most people consider secure.

A History of surveillance

“I would say that 100 percent of this is stuff that has been known to the security community for a while,” said Ryan Kalember, the senior vice president of cybersecurity strategy at security firm ProofPoint, in reference to the Vault 7 documents. “The Samsung Smart TV hack was demonstrated at security conferences several years ago, the vehicular hacks were demonstrated at BlackHat by quite a few different individuals on different vehicles.”

“Most of the things that have come out are slight variations on known techniques,” agreed James Maude, senior security engineer at Avecto. “There are a few targeted workarounds for antivirus vendors that weren’t previously known about — although similar exploits have been found in the past — and there were a couple of newer techniques for bypassing User Account Control on Windows.”

You don’t have to be a security professional to have heard about the techniques outlined in the Vault 7 papers. You might be surprised that the CIA is using these techniques, but you perhaps shouldn’t be, given that the organization was established for the purposes of gathering intelligence.

In the preface to the book Spycraft: The Secret History of the CIA’s Spytechs from Communism to Al-Qaeda, former director of the agency’s Office of Technical Service, Robert Wallace, describes the groups that comprised the organization when he joined its ranks in 1995. One was apparently responsible for the design and deployment of “audio bugs, telephone taps, and visual surveillance systems.” Another is said to have “produced tracking devices and sensors” and “analyzed foreign espionage equipment.”

The CIA is an organization that was set up for the purposes of surveillance and espionage. The Vault 7 papers aren’t revelatory in terms of what the CIA is doing — they’re revelatory in terms of how the agency is doing it. The way that the organization implements technology is changing with the times, and Vault 7 lets us track its progress.

Espionage evolves

Computers have revolutionized most industries over the past few decades, and that has in turn changed how spy organizations collect data from those industries. Thirty years ago, sensitive information typically took the form of physical documents, or spoken conversations, so spycraft focused on extracting documents from a secure location, or listening to conversations in room thought to be private. Today, most data stored digitally, and can be retrieved from anywhere the internet is available. Spies are taking advantage of that.

The lines have blurred between cybercrime and spycraft

According to Kalember, it’s “absolutely to be expected” that the CIA would move with the times. “If the information that you’re looking for exists in somebody’s email account, of course your tactics are going to move to spear-phishing them,” he explained.

Tactics like phishing might seem underhanded, in the reserve of criminals, but they’re used by spies because they’re effective. “There are only so many ways that you can get something to run on a system,” explained Maude. Indeed, if the CIA were to debut an unprecedented and highly effective method of snooping, it’s almost certain that criminal entities would be able to reverse-engineer it for their own usage.

“We’re in an environment where, particularly with the revelations from the Yahoo attack, the lines have blurred between cybercriminal tradecraft and spycraft,” said Kalember. “There’s one ecosystem of tools that has a big overlap.”

Intelligence operatives and cybercriminals are using the same tools for very similar purposes, even if their targets and their end goals might be very different. The practicalities of surveillance don’t change depending on the individual’s moral or ethical alignment, so there should be little shock when it emerges that the CIA is interested in a Samsung TV’s capacity to listen to conversations. In fact, exploits like that found in Samsung TV’s are of more interest to spies than to criminals. It’s not an exploit that offers immediate financial gain, but it does provide an excellent way to listen in on private conversations.

Aerial view of the CIA headquarters

“When we look at the CIA leaks, when we look at cybercriminal forums and the malware that I’ve looked at, the difference between a cybercriminal and an intelligence analyst is literally who pays their paycheck,” said Maude. “They all have a very similar mindset, they’re all trying to do the same thing.”

This melting pot allows operatives to disguise their actions, letting their work blend in with the similar tactics employed by criminals and other intelligence agencies. Attribution, or lack thereof, means that re-using tools developed by others doesn’t just save time — it’s a safer option all round.

Author unknown

“It’s well known within security circles that attribution looks great in reports and press conferences, but in reality, there’s very little value in attributing threats,” said Maude. “The value is in defending against them.”

The NSA has broad capabilities to gather up lots of different types of communications that are, by and large, unencrypted

Most surveillance is intended to be surreptitious, but even when an attempt is discovered, it can be very difficult to accurately trace it to its source. The CIA takes advantage of this fact by utilizing tools and techniques developed by others. By implementing someone else’s work — or better yet, a patchwork of others’ work — the agency can prompt questions about who’s responsible for its espionage.

“Attribution is something that has been a controversial subject in the private sector,” said Kalember. When security researchers are examining attacks, they can look at the tools that are used, and often where information was sent, to get an idea of who was responsible.

Delving further into the malware, it’s possible to get even great insight into its authors. The language used for text strings might provide a clue. The time of day that code was compiled might hint at their geographical location. Researchers might even look at debug paths to figure out which language pack the developer’s operating system was using.

Unfortuantely, these clues are easy to forge. “All of those things are well-known techniques that researchers can use to try and do attribution,” explained Kalember. “We’ve recently seen both cyber-criminal groups and nation state groups intentionally mess with those methods of attribution to create the classic false ‘flag type’ of scenario.”

He gave an example of the practice related to the malware known as Lazarus, which is thought to have originated in North Korea. Russian language strings were found in the code, but they didn’t make any sense to Russian speakers. It’s possible that this was a half-hearted attempt at misdirection, or perhaps even a double-bluff. The Vault 7 papers demonstrated that the CIA is actively engaging in this methodology to deceive those trying to track malware back to it.

“There was a big part of the Vault 7 leaks that focused on this program called UMBRAGE, where the CIA was pointing out the broad ecosystem of tools that were available for use,” said Kalember. “They appeared to be mostly trying to save themselves time, which a lot of people involved in this line of work do, by re-using things that were already there.”

UMBRAGE demonstrates how the CIA is monitoring trends to maintain its effectiveness in terms of espionage and surveillance. The program allows the agency to operate more quickly, and with less chance of being discovered — a huge boon to its endeavors. However, the Vault 7 papers also demonstrate how the organization has been forced to change its tactics to reassure those critical of its attitude towards privacy.

From Fishing Net to Fishing Rod

In 2013, Edward Snowden leaked a cavalcade of documents that unveiled various global surveillance initiatives being operated by the NSA and other intelligence agencies. The Vault 7 papers demonstrate how the Snowden leaks changed best practices for espionage.

“If you look at the Snowden leaks, the NSA has broad capabilities to gather up lots of different types of communications that were — by and large — unencrypted,” said Kalember. “That meant that without really being known to anybody, there was a tremendous amount of interesting information that they would have had access to, and they wouldn’t have had to take any risks to get access to any individual’s information that happened to be swept up in that.”

Put simply, the NSA was utilizing a widespread lack of encryption to cast a wide net and collect data. This low-risk strategy would pay off if and when a person of interest’s communications were intercepted, along with masses of useless chatter.

“Since the Snowden leaks we’ve really talked up the need for end-to-end encryption, and this has been rolled out on a massive scale, from chat apps to websites, SSL, all these different things that are out there,” said Maude. This makes widespread data collection far less relevant.

“What we’re seeing is that intelligence agencies are working around end-to-end encryption by going straight to the endpoint,” he added. “Because obviously that’s where the user is typing, encrypting, and decrypting the communication, so that’s where they can access them unencrypted.”

The Snowden leaks spearheaded an industry-spanning initiative to standardize end-to-end encryption. Now, surveillance requires a more precise approach, where the focus is on specific targets. That means accessing the endpoint, the device where the user is inputting or storing their communications.

Nothing digital is ever 100 percent secure

“The CIA’s Vault 7 leaks, by contrast to the Snowden leaks, describe almost entirely targeted attacks that have to be launched against specific individuals or their devices,” said Kalember. “They probably, in most cases, involve taking slightly greater risks of being caught and identified, and they’re much harder to do in purely clandestine terms, because it’s not being done upstream from where all the communications are occurring, it’s being done at the level of the individual and the device.”

This can be tracked directly to the Snowden leaks, via its status as a public service announcement regarding unencrypted communications. “The big thing that changed, that kind of precipitated this whole shift, was the rise of end-to-end encryption,” added Kalember.

What does this mean for the average person? It’s less likely that your communications are being intercepted now than it was a few years back.

The CIA and I

At the end of the day, worrying about the CIA spying on you as an individual is a waste of energy. If the agency has a reason to snoop on you, they have the tools to do so. It’s very difficult to avoid that fact, unless you plan to go entirely off the grid. Which, for most people, isn’t practical.

In a way, if you’re worried about the security of your data, the information included in the leak should be reassuring. With international espionage agencies and top cybercriminals using the same ecosystem of tools, there are fewer forms of attack to be concerned with. Practicing good security habits should protect you against the biggest threats, and some of the precautions you can take are simpler than you might expect.

A recent report on Windows vulnerabilities published by Avecto found that 94 percent of vulnerabilities could be mitigated by removing admin rights, a statistic that could help enterprise users keep their fleet of systems secure. Meanwhile, personal users can reduce their changes of being breached simply by looking out for phishing techniques.

“The thing with security is that nothing digitally is ever 100 percent secure, but you know there are measures you can take that make your security much better,” said Maude. “What the CIA leak shows us is that the measures you can take to defend yourself against cybercriminals using common ransomware tools are broadly the same measures you can take to defend against the CIA implanting something on your system.”

The Vault 7 papers aren’t a call for panic, unless you’re an individual that the CIA might already be interested in investigating. If knowing that the CIA can listen to your conversations through your TV scares you, then it probably doesn’t help to hear that career criminals who make a living through extortion and blackmail have access to the same tools.

Fortunately, the same defenses work just as well against both parties. When matters of online security hit the headlines, the takeaway is usually the same; be vigilant and be prepared, and you’ll most likely be ok.

WikiLeaks’ latest Vault 7 release contains a batch of documents, named ‘Marble’, which detail CIA hacking tactics and how they can misdirect forensic investigators from attributing viruses, trojans and hacking attacks to their agency by inserted code fragments in foreign languages. The tool was in use as recently as 2016. Per the WikiLeaks release:

"The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, --- but there are other possibilities, such as hiding fake error messages."

Grasshopper is provided with a variety of modules that can be used by a CIA operator as blocks to construct a customized implant that will behave differently, for example maintaining persistence on the computer differently, depending on what particular features or capabilities are selected in the process of building the bundle. Additionally, Grasshopper provides a very flexible language to define rules that are used to "perform a pre-installation survey of the target device, assuring that the payload will only [be] installed if the target has the right configuration". Through this grammar CIA operators are able to build from very simple to very complex logic used to determine, for example, if the target device is running a specific version of Microsoft Windows, or if a particular Antivirus product is running or not.

Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption). The requirement list of the Automated Implant Branch (AIB) for Grasshopper puts special attention on PSP avoidance, so that any Personal Security Products like 'MS Security Essentials', 'Rising', 'Symantec Endpoint' or 'Kaspersky IS' on target machines do not detect Grasshopper elements.

One of the persistence mechanisms used by the CIA here is 'Stolen Goods' - whose "components were taken from malware known as Carberp, a suspected Russian organized crime rootkit." confirming the recycling of malware found on the Internet by the CIA. "The source of Carberp was published online, and has allowed AED/RDB to easily steal components as needed from the malware.". While the CIA claims that "[most] of Carberp was not used in Stolen Goods" they do acknowledge that "[the] persistence method, and parts of the installer, were taken and modified to fit our needs", providing a further example of reuse of portions of publicly available malware by the CIA, as observed in their analysis of leaked material from the italian company "HackingTeam".

The documents WikiLeaks publishes today provide an insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise

Marble does this by hiding ("obfuscating") text fragments used in CIA malware from visual inspection. This is the digital equivallent of a specalized CIA tool to place covers over the english language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.

Marble forms part of the CIA's anti-forensics approach and the CIA's Core Library of malware code. It is "[D]esigned to allow for flexible and easy-to-use obfuscation" as "string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop."

The Marble source code also includes a deobfuscator to reverse CIA text obfuscation. Combined with the revealed obfuscation techniques, a pattern or signature emerges which can assist forensic investigators attribute previous hacking attacks and viruses to the CIA. Marble was in use at the CIA during 2016. It reached 1.0 in 2015.

The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, --- but there are other possibilities, such as hiding fake error messages.

The Marble Framework is used for obfuscation only and does not contain any vulnerabilties or exploits by itself.

Leaked Documents

Dark Matter

23 March, 2017

Today, March 23rd 2017, WikiLeaks releases Vault 7 "Dark Matter", which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.

Among others, these documents reveal the "Sonic Screwdriver" project which, as explained by the CIA, is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting" allowing an attacker to boot its attack software for example from a USB stick "even when a firmware password is enabled". The CIA's "Sonic Screwdriver" infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.

"DarkSeaSkies" is "an implant that persists in the EFI firmware of an Apple MacBook Air computer" and consists of "DarkMatter", "SeaPea" and "NightSkies", respectively EFI, kernel-space and user-space implants.

Documents on the "Triton" MacOSX malware, its infector "Dark Mallet" and its EFI-persistent version "DerStarke" are also included in this release. While the DerStarke1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.

Also included in this release is the manual for the CIA's "NightSkies 1.2" a "beacon/loader/implant tool" for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008.

While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization's supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.

Symantec didn’t directly blame the CIA for the hacks, which occurred at unspecified dates, according to Reuters. The company also told Reuters that the targets were all government entities or had legitimate national security value, and were based in Europe, Asia, Africa and the Middle East.

But the WikiLeaks disclosures have added to widespread anxiety about online snooping and the erosion of digital privacy. Those fears stretch back beyond Edward Snowden’s revelations four years ago about NSA surveillance, and they hit a new high point in early 2016 when Apple battled the US government over access to iPhones. Hacked emails, meanwhile, became a hot-button issue in last year’s presidential election.

According to CNET, a CIA spokesman refused to comment on the report. The tech site went on to post the CIA’s comments following the initial WikiLeaks revelation about their hacking tools.

While the CIA didn’t reportedly address WikiLeaks’ revelations directly, they did express that “the American public should be deeply troubled by any WikiLeaks disclosure designed to damage the Intelligence Community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize US personnel and operations, but also equip our adversaries with tools and information to do us harm.”

The information WikiLeaks revealed had far-reaching effects, including further doubt cast onto the left’s Russia election hacking narrative as the intelligence community’s ability to doctor attacks to point the finger at another country — such as Russia — was outed.